OpenVPN MI GUI

Description

It is based on the OpenVPN GUI by Mathias Sundman (version 1.0.3 from August 2005), which is shipped with OpenVPN, but large parts of the backend were adapted by Boris Wesslowski from Inside Security GmbH, commissioned by Conergy AG.

OpenVPN versions 2.1.x and 2.2.x are supported. OpenVPN 2.3.x is supported too, but not all of its new features are supported yet.

Purpose

The original OpenVPN GUI encounters the following problems, especially in enterprise or high-security environments:

Users have no administrative rights, but unprivileged users do not have enough permissions to add and delete routes.

The GUI will exit on user logout, closing all VPN tunnels and preventing e.g. remote VNC logins by an administrator.

The OpenVPN service wrapper can start one or more OpenVPN instances with enough rights, but the GUI has no control over them.

OpenVPN running as a service cannot request passwords for certificates or user authentication data from the user, either directly or through the GUI.

The OpenVPN MI GUI talks to the management interfaces of OpenVPN instances started through the service wrapper and can overcome the above problems.

Where the <port_number> must be different for every configuration file so each instance of OpenVPN can be controlled through its own port. For example, you can start at 1194 and add 1 for every configuration file you add.

Additionally, using auth-nocache is recommended, or you may want to consider using management-forget-disconnect and management-signal.

Only the management option is actually required. If neither user authentication nor certificate passwords are in use, you may omit the rest, including the management-hold option.
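The following check is an added example, not part of OpenVPN MI GUI or its documentation: it lints a set of OpenVPN configuration files for the requirements above (a management option per file, a unique port per file, auth-nocache). It assumes the `management <address> <port>` syntax from the OpenVPN manual and additionally flags a management address that is not loopback, a check this page does not state; the file names and contents are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs (file names and contents are made up for this example).
SAMPLE = {
    "office.ovpn": "management 127.0.0.1 1194\nmanagement-hold\nauth-nocache\n",
    "lab.ovpn": "# copied from office\nmanagement 127.0.0.1 1194 ; same port\nauth-nocache\n",
    "dmz.ovpn": "management 0.0.0.0 1195\n",
    "legacy.ovpn": "remote vpn.example.test 1194\n",
}

def parse_options(text):
    """Map option name -> list of argument lists; a token starting with '#' or ';' begins a comment."""
    opts = defaultdict(list)
    for line in text.splitlines():
        tokens = re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].split()
        if tokens:
            opts[tokens[0]].append(tokens[1:])
    return opts

def lint_configs(configs):
    """Return sorted (filename, finding) pairs for a {filename: text} mapping."""
    findings, ports = [], defaultdict(list)
    for name, text in configs.items():
        opts = parse_options(text)
        if "management" not in opts:
            findings.append((name, "no management option"))
            continue
        args = opts["management"][-1]
        if len(args) < 2 or not args[1].isdigit():
            findings.append((name, "management needs an address and a numeric port"))
            continue
        ports[int(args[1])].append(name)
        try:
            loopback = ipaddress.ip_address(args[0]).is_loopback
        except ValueError:  # host name instead of an IP literal
            loopback = args[0] == "localhost"
        if not loopback:  # added check: the management interface should stay local
            findings.append((name, f"management bound to {args[0]}, not loopback"))
        if "auth-nocache" not in opts:  # only matters when passwords are entered
            findings.append((name, "auth-nocache not set"))
    for port, names in ports.items():
        if len(names) > 1:  # each instance needs its own port
            findings += [(n, f"management port {port} is not unique") for n in names]
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in lint_configs(SAMPLE)), sep="\n")
```
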

Like the original GUI, the MI GUI can be configured on the command line or with global registry settings, which must be initialized by an administrator.

Known issues

If OpenVPN configuration files are added, removed or changed while the MI GUI is running, it may run into an inconsistent state. Since in such cases the OpenVPN service wrapper has to be restarted to activate the changes, an additional restart of the MI GUI is usually not necessary.

When an OpenVPN instance exits, the OpenVPN service wrapper will still be running and will not restart the missing instance. The OpenVPN MI GUI tries to avoid this, but cases remain where it can happen. The missing cancel button in the user authentication dialog is an example of a workaround for a case where OpenVPN would exit.

Using management-forget-disconnect with OpenVPN version 2.1.x will lead to problems due to a known bug in the included pkcs11-helper.

At system boot the MI GUI may be started before the OpenVPN service is running; this will trigger an error message.

The OpenVPN service may also be unavailable after the system was in standby or suspend mode. You may want to use the do_not_check_service option and NSSM to handle this case.

Download

OpenVPN MI GUI consists of a single executable file.

There are two variants: with and without support for changing the password of PEM and PKCS12 certificates. The one with support should be installed in the bin directory of your OpenVPN installation. The other can run from anywhere.